ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

40K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $meta_query used in $wpdb->get_results($meta_query)\n$meta_query assigned unsafely at line 1875:\n $meta_query = $wpdb->prepare(\n "SELECT meta_key, meta_value\n FROM {$meta_table_name}\n WHERE category_id = %d",\n $category_row['id']\n )\n$meta_table_name assigned unsafely at line 1815:\n $meta_table_name = $wpdb->prefix . 'ppma_author_categories_meta'

Unescaped parameter $meta_query used in $wpdb->get_results($meta_query)\n$meta_query assigned unsafely at line 1972:\n $meta_query = $wpdb->prepare(\n "SELECT category_id, meta_key, meta_value\n FROM {$meta_table_name}\n WHERE category_id IN ($placeholders)",\n ...$ids\n )\n$meta_table_name assigned unsafely at line 1815:\n $meta_table_name = $wpdb->prefix . 'ppma_author_categories_meta'

Unescaped parameter $meta_table_name used in $wpdb->query($wpdb->prepare(\n "DELETE FROM {$meta_table_name} WHERE category_id = %d",\n $category_id\n ))\n$meta_table_name assigned unsafely at line 207:\n $meta_table_name = AuthorCategoriesSchema::metaTableName()

Affected Plugins

Plugins that have instances of this rule violation

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

publishpress-authors

Unescaped parameter $orderby used in $wpdb->get_results($wpdb->prepare(\n "SELECT t.name, t.term_id, tt.term_taxonomy_id FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON tt.term_id = t.term_id INNER JOIN $wpdb->term_relationships AS tr ON tr.term_taxonomy_id = tt.term_taxonomy_id WHERE tt.taxonomy IN (%s) AND tr.object_id IN (%s) $orderby $order", self::$coauthor_taxonomy,\n $object_ids\n ))\n$orderby assigned unsafely at line 1105:\n $orderby = 'ORDER BY tr.term_order'

Unescaped parameter $parsedArgs['order'] used in $wpdb->get_results("\n SELECT\n p.*\n FROM\n {$wpdb->posts} AS p\n LEFT JOIN (\n SELECT\n tr.object_id, tr.term_taxonomy_id\n FROM\n {$wpdb->term_relationships} AS tr\n INNER JOIN {$wpdb->term_taxonomy} AS tt ON (tr.term_taxonomy_id = tt.term_taxonomy_id)\n WHERE\n tt.taxonomy = 'author') AS str ON (str.object_id = p.ID\n )\n WHERE\n p.post_type IN ('" . implode('\',\'', $parsedArgs['post_type']) . "')\n AND p.post_status NOT IN('trash')\n AND str.term_taxonomy_id IS NULL\n ORDER BY {$parsedArgs['orderby']} {$parsedArgs['order']}\n LIMIT {$parsedArgs['paged']}, {$parsedArgs['posts_per_page']}\n ")